Not everything that “could have been used to 9/11” is allowable. We’ve already allowed so many violations of privacy and civil rights using that excuse.
Yes, you posited a hypothetical, I explained why I think your hypothetical is flawed. What’s the problem with that?
The entire purpose of hypothetical scenarios is to test responses to unusual circumstances. Pointing out that the scenario is unusual sheds no light on the subject.
Have you ever played the game, “Would you rather?” For example, would you rather have sex with the most disgusting person you know, but nobody will believe that you did; or would you rather NOT have sex with the most disgusting person you know, but everybody would think you did? Pointing out that both scenarios are outlandish does nothing to further the conversation.
It certainly cannot. And neither can this exploit: despite SMBv1 being in use since before the year 2000, and explored by countless millions of kids since then, this exploit was discovered by the public only after the NSA leak…hardly the inevitable discovery one might have pictured from reading your words.
So I’ll dispose of your “dictionary” claim the same way: nuh-uh.
Maybe I misunderstood your position. Are you saying the NSA should not disclose zero-day exploits because it might, at a later date, turn out to be useful for preventing a nuclear attack? Or are you saying, if the NSA already knew that a Russian nuclear missile system had a specific vulnerability, then they are entitled to make an exception and keep that one vulnerability a secret?
I was assuming the former, and my response is that it is not a good enough reason because such situations are highly unlikely.
If the latter, that would be more debatable. Or using the 9/11 example, if the NSA was already tracking a terrorist cell using a zero-day exploit, I could see them being very reluctant to disclose that exploit. Nevertheless, they need to be weighed against the risks of Russia/China/etc using the same exploit to steal classified information from US agencies, defense contractors, etc. At the very least, I don’t think the NSA can be trusted to be impartial in this judgment.
Let me rephrase the question: are there ANY circumstances in which you could see a legitimate case for the NSA not disclosing a zero-day that it knows about?
If there are such circumstances that you can imagine, how would you set a policy of what zero-days to hoard for later use, and which ones to make public?
I’m not sure that the NSA disclosing the vulnerability to Microsoft earlier would have helped very much. Microsoft would have issued a patch sooner, but once Microsoft issues a patch, malware writers can decompile it to reverse-engineer the original security issue, and then write malware to target it. Because so many people fail to update their systems, this is a very effective way of finding vulnerabilities for malware writers.
In this case, though, not necessarily. The patch could simply disable SMBv1 without exposing why it’s vulnerable.
There’s still stuff that uses SMB1, apparently. I don’t think MS could push out an automatic update that disabled it without pissing off a lot of people.
You seem to be trying really hard to find a contradiction where there isn’t one. There’s nothing contradictory about something being both short-lived and risky, as in my example of an explosive that is very unstable for a while and then goes inert. I never used the words “dangerous” and “useless” but if you want to put that interpretation on it, that works, too: if the average person found a large bottle of pure nitroglycerine in their basement, that would be both dangerous and useless to them, and I’m sure they would thank the bomb squad for safely taking it away.
Putting the analogies aside, “short-lived” means an exploit is likely to have a finite and probably quite a short lifetime, often measured in months or even weeks before it’s patched; “risky” means it still has lots of opportunity to cause huge amounts of damage – this particular virus seemed to get deployed all over the world within hours – and that it’s incredibly irresponsible to just leave it to chance whether a hacker might discover it before security people do, and to use as one’s justification the off-chance that maybe you might have a chance to use it as a spy tool before it’s fixed.
I don’t know that this exploit was based on any particular iteration of the SMB architecture – I thought it was a Microsoft implementation issue (I could be wrong, though). SMB goes back at least a decade before 2000, and has numerous other implementations besides Windows (Samba, NQ, etc.). Windows is the only one being talked about, and after the patch, SMB still works of course, just not with the vulnerability – all of which supports the premise that it’s a Microsoft implementation issue. In fact I just connected my newly patched Windows system to an old Unix/Samba system – works fine.
That said, its existence back to at least Windows XP does confirm that the vulnerability has been around a long time. Most vulnerabilities are quite short-lived, this one appears to have been around longer, but not necessarily for any reason other than chance. Microsoft issued 495 critical security updates to Windows 7 after the major rollup in SP1 – I can only imagine how many there were in total, especially if you include its predecessor, Vista. Lots of stuff gets found, a few things linger longer than most. Is there some reason to believe this was an exceptionally difficult or ingenious exploit?
Either way, the point about ethics remains. It was unethical to risk letting this get out into the wild either by leak or by chance discovery.
No. Regardless. The attack was created by modifying stolen NSA software and information. The legal precedent of holding an entity responsible for what a criminal does with other people's products would cripple more industries, educational systems and other elements of our civilisation than can be listed here.
It is a Microsoft implementation: of SMBv1. See CVE-2017-0144.
Sure: the patch fixes SMBv1. But disabling SMBv1 (HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters, add a DWORD parameter called SMB1 with value 0x0) also works. Obviously better to patch because then you retain backwards compatibility with really old non-Windows SMBv1 installs.
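The registry switch in the post above is the documented way to turn off the SMBv1 server, but on its own it tells you nothing about what you are about to break, and it only takes effect after a reboot. The following is an added example, not code from anyone in this thread: a PowerShell snippet that audits the current SMBv1 state, lists any live SMBv1 sessions that disabling it will cut off, then sets both the registry DWORD from the post and the equivalent SmbShare cmdlet so the two stay consistent. It assumes an elevated prompt on Windows 8 / Server 2012 or later (where Get-SmbServerConfiguration and Get-SmbSession exist); on older hosts only the registry lines apply. Disabling SMBv1 is a mitigation for CVE-2017-0144, not a substitute for installing the MS17-010 update.

```powershell
# Added example (not from the thread). Assumes an elevated PowerShell prompt on
# Windows 8 / Server 2012 or later. Disabling SMBv1 mitigates CVE-2017-0144 on
# the server side only; still install MS17-010.

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# 1. Report the current state from both places it can be configured.
$cfg      = Get-SmbServerConfiguration
$regValue = (Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1
'SMB1 via Set-SmbServerConfiguration : {0}' -f $cfg.EnableSMB1Protocol
'SMB1 via registry (blank = default, i.e. enabled) : {0}' -f $regValue

# 2. Who is talking SMBv1 to this host right now? These sessions (old NAS
#    boxes, printers, legacy Samba) are what the "still stuff that uses SMB1"
#    objection is about; disabling the protocol drops them.
Get-SmbSession |
    Where-Object { $_.Dialect -like '1.*' } |
    Select-Object ClientComputerName, ClientUserName, Dialect

# 3. Disable SMBv1. The registry DWORD is the method from the post and works
#    on older versions too, but needs a restart to take effect; the cmdlet
#    applies immediately on supported versions. Setting both keeps the
#    persistent and the live configuration in agreement.
Set-ItemProperty -Path $regPath -Name SMB1 -Type DWORD -Value 0 -Force
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# 4. Verify the live setting; fail loudly rather than silently if it stuck.
if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
    throw 'SMBv1 server protocol is still enabled'
}
'SMBv1 server protocol disabled (registry change applies after reboot)'
```

Run the audit part (steps 1 and 2) on its own first across a fleet before flipping the switch; the session list is the cheapest way to find the legacy devices that would otherwise turn into helpdesk tickets. On Windows 8.1/10 and Server 2012 R2 onward, removing the optional feature (Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol) goes further and removes the SMBv1 driver entirely rather than leaving it installed but disabled. None of this touches the SMBv1 client on the same host, which needs separate handling.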
Nun uh. No way. It was perfectly ethical.
It reminds me of 24 Days Later, the plot of which is … leftie types break into Gov facility where experiments on animals inc. nasty viruses. Nasty virus escapes and humanity (or at least Britain) is devastated.
Sure, you blame the clueless lefties, but who created the damn virus and didn't protect it even close to responsibly?
We all do, as a society. We won’t all reach the same conclusion, but so what? Is it your position that no one has any obligation to be ethical until we can reach unanimity on the definition of “ethical”?
The OP seems to be suggesting that the NSA should suffer the condemnation of the public or of the media. (“I haven’t really heard anyone screaming that the NSA did wrong”.) The poster to whom you replied appears to be responding in the affirmative, because in his view the NSA had a duty to behave ethically and they failed to do so. Whether this is true or not depends in part on the question of what is or isn’t ethical behavior, but it doesn’t require that someone “gets to define what constitutes ethical”.
By analogy, “Oh yeah, sez who?” wouldn’t be a pertinent reply to my claim that “murder is morally wrong”, unless I’m actually basing the claim on an appeal to some authority.
When there is less than near-unanimity, then it seems to me the argument ought to be less about certainty and more about argument.
Because you’re correct in assuming a near-universal agreement that murder is morally wrong.
But a similar confident declaration from me that abortion is morally wrong would absolutely earn rebuttals similar in spirit to “Sez who?”
Right?
Not really, apart from the fact there were places in 19th century London, Paris and New York where a midnight stroll would ensure one was never seen again, or that in Mao’s Republic millions died for utterly trivial reasons, in an earlier culture, the Roman Republic, a Citizen could kill practically any non-Roman Citizen practically at will. Including his own family.
One choleric fellow fed an unsatisfactory slave alive to the eels in his fishpond without it leading to his being cut in public by the best families.
Where is this mission statement posted? It is hard to give an opinion without reading the entire thing in context. That said, I am OK with my government exploiting foreign resources if their goal is to protect me and mine. I don’t think they should exploit for gain, neither gain for themselves nor for US citizens, but protecting us is their mission and the line they shouldn’t cross moves with the threat.
If the government holds a zero-day exploit, their primary goal should be to protect US citizens from it. If they can do this by working with Microsoft (or whoever) to roll out the patch quickly in the event that it is exploited by adversaries, but in the meantime they will exploit it against our adversaries, then all is right with the world. To sit on the exploit and not take any steps at defending our interests in this regard is criminal in my opinion. I am not saying that this was the case here.
And this is why the answer to the thread is no.
In Post No. 6.
Wait, a doper finds a “sketch cache” that seems to show that their values are (used to be?) “exploiting the foreign communications of adversaries” and you are asking me if I am OK with it? Where is this “sketch cache?” Anybody have a link? Why should I even believe that the cache has anything to do with the NSA and their official mission statement?
I’m hoping for some clarification here because I don’t really understand what is meant by “held responsible” in this case.